Because it governs the processing of personal data of any person in the EU, regardless of where in the world that data is held or processed. Since Liberty has clients who are EU citizens and residents, it is required to comply with the provisions of GDPR.

There are, in fact, a great many South African companies that are required to comply with GDPR, and the Liberty breach should serve as a wake-up call to these organisations that GDPR compliance is a complex, far-reaching, and non-trivial exercise, because it applies to an extensive set of personal data elements that may be housed in a number of different systems. How many multi-national organisations do you know of that have all their customer, supplier or employee data in a single system?

A number of questions have been levelled at Liberty since the breach became public knowledge.

Why wasn’t the data encrypted? Was it properly secured? Why did their internal controls not detect the intrusion until the intruders themselves alerted them to it? Is our information safe with Liberty?

While these questions all deserve considered and complete answers, there are other questions that, perhaps, require equal attention.

Do we even know how many of our systems hold personal data?

What is the data used for and who should have access to it?

Are our controls sufficiently deep and robust to detect an intrusion?

How do we guard against attacks from within?

How would we handle a multi-system breach?

Who is responsible for dealing with this?

What is the process for dealing with a breach?

What are the legal implications – both in South Africa and in other jurisdictions where we may be exposed?

How much would a breach like this cost us?

These are data governance questions

GDPR, and likewise PoPIA, require sound data governance so that the impact of any potential breach can be quickly understood, and so that the affected data subjects and the regulators can be informed within the prescribed timeframes.

Data governance ensures that the right experts are presented with the right knowledge, at the right time, to deal with a crisis of this nature in an informed way, and in compliance with the regulations.

There is a cost to complying with privacy legislation, it is true.

But perhaps the cost of not complying is even higher.

There is a cost to alerting customers.

There is a cost in terms of the time taken by several teams, from IT personnel, to Marketing and Corporate Communications, to develop a considered and co-ordinated response.

There is a cost to the CEO himself spending an hour at a media briefing, along with whatever time he had to spend on this event in order to be prepared. There is the opportunity cost of whatever had to be dropped to deal with this crisis.

Not to mention the cost in terms of share price (Liberty’s shares dropped 5% after the announcement), customer insecurity, lost business and brand damage.

In Liberty’s case, only a single system is believed to have been compromised.